1. Field of Invention
The invention relates generally to data network communications and more particularly to a technique for high performance asymmetric network communication and for thwarting network-based attacks, such as a denial-of-service attack.
2. Description of Related Art
In computing, a denial-of-service attack is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack is to overload the server. This involves saturating the target machine with external communications requests so it cannot respond to legitimate traffic or responds so slowly that it is basically unavailable.
In general terms, a denial-of-service attack is implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim(s) so that they can no longer communicate adequately. The term is generally used in relation to computer networks, but is not limited to that field; it is also used, for example, in reference to CPU resource management.
Denial-of-service attacks violate the acceptable use policies of Internet service providers and are illegal. The motives generally include temporary or indefinite interruption or suspension of services of a host connected to the Internet. Targets typically include high-profile web servers such as banks and credit card payment gateways.
In a traditional transmission control protocol (TCP) 3-way handshake, an initial packet with a TCP bit flag SYN is generated from a client to a server. A plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa. The server generates a response packet with the TCP bit flags SYN and ACK set. The client then responds with a TCP ACK packet, establishing a completed TCP session.
Upon receipt of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, RAM, and/or disk, to facilitate this connection. The server holds these resources for a predetermined period of time, often as long as several minutes. Because computer systems have limited resources, an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server and exhausting all system resources. The server then becomes unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack.
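The resource reservation just described, and the stateless alternative the section later refers to as a hash cookie, can be made concrete with a small model. The following is an added example, not code from the patent: it models a listener that allocates a half-open table entry per SYN (with a constructed, deliberately tiny backlog so exhaustion is visible) beside a listener that allocates nothing until a peer echoes an HMAC-derived sequence number. The timeout, backlog size, epoch width, addresses and the scenario function are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF          # TCP sequence numbers are 32-bit
HALF_OPEN_TIMEOUT = 60.0   # seconds a half-open entry is retained (assumed value)
BACKLOG_LIMIT = 4          # deliberately tiny so exhaustion is visible (assumed value)
COOKIE_WINDOW = 60         # seconds each cookie epoch is valid (assumed value)


@dataclass
class StatefulListener:
    """Reserves a table entry on every SYN, as the section describes."""
    half_open: dict = field(default_factory=dict)  # (ip, port) -> (arrival_time, isn)
    dropped: int = 0

    def _expire(self, now):
        # Entries are released only after the predetermined timeout elapses.
        stale = [k for k, (t, _) in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        """Return the ISN of our SYN-ACK, or None if the backlog is full."""
        self._expire(now)
        if src not in self.half_open and len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped += 1          # legitimate or not, this SYN gets no reply
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = (now, isn)
        return isn

    def on_ack(self, src, now, ack_number):
        """True if the ACK completes a half-open entry; the entry is then released."""
        self._expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack_number != (entry[1] + 1) & MASK:
            return False
        del self.half_open[src]
        return True


class CookieListener:
    """Keeps no per-SYN state: the ISN is an HMAC over the peer address and a
    time epoch, so only a peer that actually received the SYN-ACK can echo it."""
    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)

    def _cookie(self, src, epoch):
        msg = f"{src[0]}:{src[1]}:{epoch}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        # Nothing is stored; the verifier travels inside the SYN-ACK itself.
        return self._cookie(src, int(now // COOKIE_WINDOW))

    def on_ack(self, src, now, ack_number):
        # Accept the current or previous epoch so a slow but genuine peer still passes.
        epoch = int(now // COOKIE_WINDOW)
        expected = (ack_number - 1) & MASK
        return any(expected == self._cookie(src, e) for e in (epoch, epoch - 1))


def flood_then_connect(listener, n_bogus, now=1000.0):
    """Constructed scenario: n_bogus SYNs that are never completed, then one
    legitimate client performing the full handshake one second later.
    Returns True if the legitimate client's session is established."""
    for i in range(n_bogus):
        listener.on_syn(("198.51.100.1", 40000 + i), now)   # never acknowledged
    client = ("192.0.2.10", 50000)
    isn = listener.on_syn(client, now + 1.0)
    if isn is None:
        return False                                         # SYN-ACK never sent
    return listener.on_ack(client, now + 1.2, (isn + 1) & MASK)
```

With the stateful listener, `flood_then_connect` fails as soon as the uncompleted SYNs fill the backlog and only succeeds again once the timeout has released the entries; the cookie listener succeeds regardless of how many uncompleted SYNs preceded the legitimate client, because it spent nothing on them.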
To mitigate these attacks, a number of systems have been designed that may have met needs at one point in time but are incapable of meeting the current demands of high performance asymmetric network communication and of complex distributed attacks. These systems lack the performance and the technology necessary to provide successful mitigation of large-scale attacks. The majority of these prior art systems simply “detect” denial of service conditions but do not actually mitigate them.
When asymmetric routing is in place, a data packet originated by a client may arrive in New York, destined for a server in Los Angeles. The response packet from the server would then be transmitted from Los Angeles to the Internet. The intermediary system in Los Angeles would prohibit the response packet from leaving the network, as it would not belong to a session that system had validated. Conversely, the intermediary system in New York would prohibit further inbound communication, as from its point of view the handshake was never completed.
Prior art systems do not provide a mechanism for global management of session state to solve the challenges met when these monitoring and mitigation systems are globally distributed. They describe in overview a process of transmitting control messages to other intermediary systems, but do not reduce it to the steps needed to produce such a global system. They further describe systems for securely establishing communication utilizing hash cookies, but do not describe this process in a manner that is usable in today's Internet environment.
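The asymmetric-routing failure described above, and the effect of sharing session state between sites, can be traced with a small model. This is an added example, not code from the patent or any prior art system: two stateful intermediaries, one standing in for New York and one for Los Angeles, each consult a session table, and the same handshake is run once with site-local tables and once with a single table shared by both sites (a constructed stand-in for the global state management the section says prior art lacks). The packet fields, state names, addresses and the `run_handshake` scenario are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK", "ACK" or "DATA" (constructed, simplified)


def flow_key(pkt):
    # Canonical key so both directions of a connection map to the same session.
    return tuple(sorted((pkt.src, pkt.dst)))


class Intermediary:
    """Stateful filter at one point of presence.

    `store` is the session table it consults: pass a private dict for
    site-local state, or one dict to both sites to model shared state."""

    def __init__(self, name, store):
        self.name = name
        self.store = store
        self.log = []   # (site, flags, verdict) for later inspection

    def inspect(self, pkt):
        key = flow_key(pkt)
        state = self.store.get(key)
        if pkt.flags == "SYN" and state in (None, "SYN_SEEN"):
            self.store[key] = "SYN_SEEN"          # retransmitted SYN is tolerated
            verdict = "forward"
        elif pkt.flags == "SYN-ACK" and state == "SYN_SEEN":
            self.store[key] = "SYNACK_SEEN"
            verdict = "forward"
        elif pkt.flags == "ACK" and state == "SYNACK_SEEN":
            self.store[key] = "ESTABLISHED"
            verdict = "forward"
        elif pkt.flags == "DATA" and state == "ESTABLISHED":
            verdict = "forward"
        else:
            verdict = "drop"   # no matching validated session known at this site
        self.log.append((self.name, pkt.flags, verdict))
        return verdict


def run_handshake(shared_state):
    """Client-to-server packets enter via New York; server-to-client packets
    leave via Los Angeles, the asymmetric path the section describes.
    Returns the verdicts in packet order."""
    if shared_state:
        store = {}
        ny, la = Intermediary("NY", store), Intermediary("LA", store)
    else:
        ny, la = Intermediary("NY", {}), Intermediary("LA", {})
    client, server = "192.0.2.10", "203.0.113.5"   # documentation addresses
    steps = [
        (ny, Packet(client, server, "SYN")),
        (la, Packet(server, client, "SYN-ACK")),
        (ny, Packet(client, server, "ACK")),
        (ny, Packet(client, server, "DATA")),
    ]
    return [site.inspect(pkt) for site, pkt in steps]
```

With site-local tables, Los Angeles drops the SYN-ACK because it never saw the SYN, and New York then drops the client's ACK and data because, from its table, the handshake never completed; with the shared table every packet of the same handshake is forwarded. An unsolicited SYN-ACK arriving at a site with no corresponding SYN in either table is still dropped in both configurations, so sharing state does not weaken the check.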